The House Government Reform Committee grades agencies on computer security once a year, but the U.S. Agency for International Development sends its managers a report card every month.

The security grades are assigned to individual members of the Senior Executive Service stationed at USAID's 80 offices worldwide. That fact tends to put lower-ranking systems administrators on their mettle, said Philip M. Heneghan, the agency's information systems security officer.

He said he finds the monthly reports very effective in making sure software patches are installed promptly. 'If managers get a C or an F, they call me,' he said. 'Pretty soon it gets fixed. We work in 20 time zones, and a worm can travel around the globe pretty quick.'

Heneghan doesn't reveal individual grades to other executives, but he does give them a comparative sense of how well different offices are doing. Lately, he said, regional managers have been asking how their regions rank so they can tell their own bosses.

USAID CIO John Marshall 'is always talking about performance metrics,' Heneghan said. The Office of Management and Budget 'has a strong metrics push, and we're implementing it.' The team includes deputy CIO for operations John Streufert and deputy information security officer George C. Moore.

A bad grade, Heneghan said, generally means the local systems administrator has neglected to log on to USAID's secure Web server to read security status reports generated throughout the agency by an nCircle IP360 vulnerability management system from nCircle Network Security Inc. of San Francisco.

'The tool has been very good,' Heneghan said. 'The nice thing is that we can do continuous scans.' Before nCircle's installation in February, he said, 'we scanned our 15,000 networked devices only once a month, and it was tough to get reports out. Now anybody in charge of devices can see what's going on.'

The main job is keeping local administrators up to speed about the frequent software patches needed to protect devices running Microsoft Windows 2000, Internet Information Server, SQL Server, Oracle, Apache Web Server, Linux and Unix. NCircle reports the missing patches on each device but does not automatically download them.

The scans have even picked up a few systems that local administrators were still configuring. 'We tell them, "Don't put vulnerable machines on our network; we'll ding you,"' information systems security program manager William Geimer said. 'That brings everybody off their chairs.'

The nCircle scans must negotiate a variety of connections ranging from satellites to WANs to startup Internet services in developing nations. 'It's hard to get the connectivity,' Heneghan said. 'We need a lot of redundancy.'

Each of the 80 offices has a staff of six to 300 people who deal with local institutions that distribute U.S. foreign aid for agriculture, economic development, education, governance, health and reconstruction.

'The State Department handles government-to-government transactions,' Heneghan said. 'USAID does all the other communication.'

The nCircle appliances scan not just operating systems and applications but also server and router ports, services, IP phones and wireless access points. 'It ranks the vulnerabilities by numbers, severity and asset value,' said nCircle president and CEO Abraham Kleinfeld. 'The risk profile can prioritize fixes and set a timeline.'

Once a defect is remedied, nCircle rescans to validate the fix. 'It doesn't push out the patches because automatic patching is dangerous in large environments,' Kleinfeld said. 'There's no standard solution to every problem, but 99 percent of network attacks are against known vulnerabilities for which fixes exist.'

Government agencies are sensitive about who has access to the scans, he added: 'There are no disk drives inside the appliances, and only certain people know where and how to get the information.'

Geimer said he uses 12 nCircle profile appliances and prioritizes the network's 20 most-vulnerable areas with a daily average score. 'The number of appliances you need depends on the number of IP addresses and how often you scan,' he said.

USAID pays nCircle an annual fee of 20 percent of the initial price, he said, for 24-hour technical support plus software and vulnerability signature updates.

Now that the appliances have been at work for several months, Geimer said, the number of false-positive reports is low and security vulnerability 'is trending down every month, so we raise the bar every month.'
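The grading scheme the article describes (findings weighted by severity and asset value, a remediation timeline, rescans that validate fixes, a per-office letter grade, a top-N most-vulnerable view, and a bar that is raised each month) as an added Python example. This is not USAID's or nCircle's code; the remediation windows, grade bands, office names and sample findings are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    office: str       # office or region that owns the device
    host: str
    severity: int     # 1 (low) .. 10 (critical), as the scanner scores it
    asset_value: int  # 1 (lab box) .. 5 (mission-critical), set by the owner
    age_days: int     # days since a scan first reported the finding
    validated: bool   # True once a rescan has confirmed the fix

# Hypothetical windows (days) keyed by minimum severity, and hypothetical grade bands.
DEFAULT_WINDOWS = {9: 7, 7: 14, 4: 30, 1: 90}   # tighten monthly to "raise the bar"
GRADE_BANDS = [(0.90, "A"), (0.80, "B"), (0.70, "C"), (0.60, "D")]

def window_days(severity, windows=DEFAULT_WINDOWS):
    for floor in sorted(windows, reverse=True):
        if severity >= floor:
            return windows[floor]
    return max(windows.values())

def report_card(findings, windows=DEFAULT_WINDOWS):
    """Per office: share of weighted findings that are rescan-validated or
    still inside their window, mapped to a letter grade (else F)."""
    total, good = defaultdict(int), defaultdict(int)
    for f in findings:
        total[f.office] += f.severity * f.asset_value  # weight: severity x asset value
        if f.validated or f.age_days <= window_days(f.severity, windows):
            good[f.office] += f.severity * f.asset_value
    return {o: next((g for cut, g in GRADE_BANDS if good[o] / total[o] >= cut), "F")
            for o in total}

def most_vulnerable(findings, n=20):
    """Offices ranked by weighted risk still open (the top-N view the article mentions)."""
    open_risk = defaultdict(int)
    for f in findings:
        if not f.validated:
            open_risk[f.office] += f.severity * f.asset_value
    return sorted(open_risk, key=open_risk.get, reverse=True)[:n]

# Constructed sample findings, not real USAID scan data.
SAMPLE = [
    Finding("Nairobi", "web01", 9, 5, 3, False),   # critical, inside its 7-day window
    Finding("Nairobi", "db01", 6, 4, 40, False),   # medium, past its 30-day window
    Finding("Nairobi", "ws07", 3, 1, 5, True),     # patched and validated by rescan
    Finding("Lima", "mail01", 8, 5, 20, False),    # high, past its 14-day window
    Finding("Kabul", "fs01", 9, 5, 2, False),      # critical, inside its window
]
```

Passing a tighter `windows` dict to `report_card` is the monthly bar-raising: the same open findings fall out of their windows and the grades drop.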